ICT Processes. Standard Operating Procedures and Good Practices. Prepared In January 2002 By OMSAR


Table of Contents

1.0 Preliminary and Administrative Activities
  Activity 1 : Define Business Objectives as Related to ICT
  Activity 2 : Initiate and Plan the Good Practices Project
  Activity 3 : Collect Documents Relevant to the Project
  Activity 4 : Conduct Risk Management for the Good Practices Project
  Activity 5 : Establish Proper Communication Schemes
  Activity 6 : Setup a Performance Measurement Process
  Activity 7 : How to Implement Standards
  Activity 8 : How to Manage ICT Projects
  Activity 9 : Setup the Configuration Management Process
Managing ICT Human Resources
  Activity 10 : Organize the Structure of the ICT Unit
  Activity 11 : Identify the Required Competencies per Position
  Activity 12 : Identify Actual Competency Levels of all Staff
  Activity 13 : Analyze Competencies to Identify Training Requirements
  Activity 14 : Identify Training Resources
  Activity 15 : Manage Training Material
  Activity 16 : Maintain Training Records
  Activity 17 : Define Recruitment Standards
Relationships with Suppliers
  Activity 18 : Prepare a List of Supplier Products and Services
  Activity 19 : How to Audit or Qualify Suppliers
  Activity 20 : Prepare an Agreements Register
  Activity 21 : Evaluation of Suppliers, Products, Projects or Alternatives
  Activity 22 : Recommended Issues to Consider in ICT Agreements
    Including Technical Specifications in Agreements
    Schedule and Timing of Product Deliveries
    Costing and Other Financial Issues
    Software Upgrades and Updates
    The Supply of Source Code
    Suggested Solutions
    Data Structure vs Source Code
    Maintenance and Warranty Services
    Warranties and Maintenance on Equipment
    Warranties and Maintenance on Software
    Terms Applying to Both Hardware and Software
    Support Agreements
    Ensuring Continuity of Services
    Delivery and Acceptance Criteria
    Authorization of Staff
    Copyrights and Intellectual Property
Qualification Processes
  Activity 23 : Specification Qualification (SQ)
  Activity 24 : Installation Qualification (IQ)
  Activity 25 : Operational Qualification (OQ)
  Activity 26 : Performance Qualification (PQ)
Logical System Access and Security
  Activity 27 : Identify Functions to be Secured
  Activity 28 : Assign Privileges and Access Rights
  Activity 29 : Assign, Distribute and Control Passwords
  Activity 30 : ISO Standards for Security
Physical System Protection, Access and Security
  Activity 31 : Infrastructure Server and Other Rooms
  Activity 32 : Infrastructure Cabling
  Activity 33 : Infrastructure Networks
  Activity 34 : Assign Physical Access Privileges
  Activity 35 : Assign, Distribute and Control Passwords
  Activity 36 : Insure the ICT Systems
Information Integrity : Backup / Archiving and Data Protection
  Activity 37 : Identify What is to be Backed Up and When
  Activity 38 : Backing Up
  Activity 39 : Identify What is to be Restore Tested and When
  Activity 40 : Restore Testing
  Activity 41 : Good Back Up Practices
  Activity 42 : Protection Against Viruses
Information Integrity : Business Continuity Planning
  Business Continuity Plans
  Classifying Disasters
  Activity 43 : Disaster Recovery Procedures
  Activity 44 : Disaster Recovery Good Practices
  Activity 45 : Business Continuity Contingency Plans
Software Application Development
  Activity 46 : Using a Software Development Process
  Activity 47 : Software Development Tools
  Activity 48 : Programming Standards
  Activity 49 : Selecting Software Applications
Operations Management
  Activity 50 : Logging Maintenance and Support
  Activity 51 : Control Dissemination of Hard Copies and Distribution
  Activity 52 : Good Practices for User Support
  Activity 53 : Managing the Supplies of the ICT Systems
  Activity 54 : Documenting Data Entry Procedures
  Activity 55 : Standard Data Entry Checks and Controls
  Activity 56 : Using and Supporting Office Technology Products
Environment Management
  Activity 57 : Define the Required Environmental Conditions
  Activity 58 : Monitor Environmental Behavior

1.0 Preliminary and Administrative Activities

The Guide commences with a set of Activities that are general. They do not fall under any specific Information Process. Most are fundamental processes in that they apply to the whole Department.

Activity 1 : Define Business Objectives as Related to ICT

Objectives : this Activity defines the steps needed to establish the Department's Policies and Goals for using its current and projected ICT Systems. This Activity also assesses the degree to which business/organizational plans and ICT plans are aligned. It determines the appropriateness of the mechanisms for establishing the priorities of ICT investments (New projects, changes to existing systems, etc). It establishes the governing rules and structure of the ICT unit as a whole. Of critical importance is an assessment of ICT spending. Questions such as the following should be asked and answered :
- What is each ICT System for?
- What does the Department expect from each system?
- How do the systems impact the general strategy of the Department?
- Who are the beneficiaries of the Department's ICT Systems?
- What are the Technologies selected for current and projected systems?
- What is the justification for such selection? (Financial and otherwise)
- How does each system contribute to the Products and Services the Department is to provide to the Citizen? Or to other Departments? Or to the outside world?
- What are the key performance indicators to be measured and tested to establish the success of the system?
- What are the challenges facing the ICT Systems?
- What are the main risks facing the implementation of the Systems?
- What is the structure of the ICT unit set up to handle all the ICT processes?

Scope of usage : to cover all ICT Systems under current use or that are projected for future use.

Risks : should such goals and policies not be defined, the Department risks acquiring the wrong systems, using them in the wrong manner or even not estimating budgets properly.

Documentation and Deliverables : prepare a document that responds to the above questions and any others that the Department finds crucial. Such a document would therefore establish the ICT strategy and plan for the Department.

Activity 2 : Initiate and Plan the Good Practices Project

Objectives : the Good Practices Project is an ongoing process. The Department will benefit from an ongoing application of Good Practices. The Good Practices to be implemented in the Department should form part of a long term Project that is well planned, executed and monitored. The objectives of this Activity are to plan the Good Practices Project according to modern project management techniques.

Scope of usage : restricted to the Good Practices Project. The Project will not be involved in any other ICT projects except in so far as it may propose and implement good practices for them.

Risks : should the Department not plan the Good Practices project properly, it risks the following :
- Undefined or unclear scope of the Project (Too wide or too narrow)
- Undefined or unclear deliverables
- Undefined or unclear communications channels
- Undefined or unclear authorizations
- Improper scheduling of the Project
- Poor definition of a Project Team : responsibilities, authorities, etc.
- Improper acquisition of resources required by the Project such as documentation, project management, electronic documentation support, etc.

Critical Risk : one of the major risks involved is that of the Department not having a Project Manager or not being able to assign a Project Team for the Project. This is a serious situation and can be known in advance. It is suggested that the Department contact OMSAR in such a case to study various other alternatives such as outsourcing, assistance by other Departments, etc.

Standard Operating Procedure :
1) Define the Project Scope, Objectives and Goals.
2) Assign a capable Project Manager. Usually, this would be the Head of the ICT Unit. However, in the case where the Unit has not been formed yet, the Management may find other parties for this role.
3) Identify all stakeholders of the project. Stakeholders are all parties within and outside the Department that may have a positive or negative interest in the Project.
4) Ensure that the Project Objectives are understood by all stakeholders or persons with active interest in the project. To do that, use the document arrived at in Activity 1.
5) Analyze the Guide of Good Practices to identify the ICT Processes of interest to the Department and to determine the Activities that the Department needs to implement.
6) Identify Alternatives and Options to such Activities. The Department may find that there are other Activities it needs to implement as Good Practices which are not mentioned in this Guide. This would be the right time to identify such Activities and add them to the overall list required by the Department.
7) Define and establish the three main elements of any project. These consist of the core elements of the Project Plan :
- The functions and features of the Project (Deliverables)
- The phasing, scheduling and sequencing of Activities
- The estimates of the costs and resources needed to complete the Project
8) Highlight all exclusions : these are usually functions within the Project that some stakeholder will assume are part of it but may not be. Identifying them at this stage would save a lot of time and avoid disputes.
9) Identify all Project constraints. The assumptions are the Implied needs of various Stakeholders. Convert implied needs to stated needs or drop them from the Project.
10) State all assumptions. Assumptions often relate to various aspects of the Project or the ICT Processes. Assumptions usually hide implied needs and cause gaps between what was promised and what was delivered. This would reduce the Quality of the Project.
11) Carry out Risk Analysis and Manage the Risks. (Refer to Activity 4)
12) Based on the above, define the Project Team, their responsibilities, authorities as well as their lines of reporting. Typical roles in the team can be :
- Management
- Staff from the ICT Unit
- Quality assurance or Internal auditors or inspectors
- The units in which the systems are used
Refer to the note at the beginning of this Activity that points to the risk of not being able to identify or assign such a team.

Some of the above activities will be expanded as specific Activities in the following pages.

Documentation and Deliverables : the above definitions result in a Project Plan. This has to be documented and circulated to all Stakeholders for final approval.

Good Practices and Recommendations : it is always critical to implement modern Project Management practices. Ensure that the Project Manager has good experience in the above activities.

Acceptance Criteria : this Activity is considered accepted when a Project Plan is approved.

Activity 3 : Collect Documents Relevant to the Project

Objectives : to collect all documents that will be of use during the various stages of the Good Practices project. Such documents should be verified to be correct and up to date.

Scope of usage : documents related to the Department as a whole as well as to the ICT Systems in use by the Department.

Risks : should such documents not be available or not be up to date, time would be lost during the completion of the various activities to collect and bring them up to date.

Standard Operating Procedure :
1) Identify all existing documents that should be used such as :
- Department charter
- Ministerial decrees
- Various lists and registers
- Studies relevant to the ICT Systems
- Mission statements
- Vision statements
- Goals and Objectives
- Strategies for reaching such goals
2) Catalog such documents under a Register until they are subsumed under the proper Activities. The Register would include the document names, type, status and location.
3) Ensure that all documents are up to date.

Documentation and Deliverables : all the above documents along with the Register that identifies them.

Activity 4 : Conduct Risk Management for the Good Practices Project

Objectives : in the early stages of the Good Practices project, the Department is bound to face many unknowns. This Activity presents a procedure for analyzing and mitigating the risks facing the Department. This would allow it to avoid problems during the later stages. A detailed discussion of Risk Management is presented in the Appendix of Supplementary Material. Risk Management should be carried out by the Project Manager.

Scope of usage : the whole Project itself. Note that at this moment, the Department should not be concerned with Risk Management for its own ICT Systems. Risk analysis for the ICT Projects of the Department should be handled within those projects.

Risks :
- Not being aware of how Risk Management takes place
- Spending too little or too much time analyzing Risks
- Closing down the Project or specific Activities if major risks are found rather than attempting to resolve them
- Hiding risks from the eyes of the Management
- Improper assessment of probabilities and impacts

Standard Operating Procedure : Follow the details provided in the Appendix of Supplementary Material. Here follows a summarized procedure of Risk Analysis and Management :
1) Identify all events which may damage the Project.
2) Assess the Risk, that is, the likelihood or probability of each event taking place. This is expressed as a percentage ranging from 0% (Not likely at all) to 100% (Certain to take place).
3) Assess the Impact on the project should each event take place. Impacts are assessed as a percentage that ranges from 0% (No significant impact at all) to 100% (Catastrophic impact).
4) For information's sake, an impact should also be assessed in terms of the financial or time loss it might cause. For example, suppose two events have a 70% impact each. One results in a $200,000 loss while the other results in a 50 day delay. This is useful because it gives the Department a better way of assessing impact.
5) Find the Exposure : Multiply the Risk (From Step 2) by the Impact (From Step 3) for each event. This is the exposure of the Department to this risk. This will be a number that is between 0% and 100%.
6) List all Risks sorted by decreasing Exposure.
7) Compute the Total Exposure of the Project by adding all Exposures.
8) Address the topmost exposed events and find ways to manage the risk. This can be managed by reducing the probability and/or by reducing the impact.

Documentation and Deliverables : a risk analysis document for the project as per the structure proposed in the Appendix of Supplementary Material.

Good Practices and Recommendations :
1) Ongoing Review of Good Practices Project : review Risk Analysis during all stages of the Project. The purpose would be to learn from earlier analysis as well as to ensure that (a) none of the risks are still likely and (b) there are no new risks.
2) Risk Analysis for the Rest of the ICT Systems : should be carried out on the ICT Systems should any of the following situations arise :
- New projects are launched
- Before the commencement of every major phase
- Troublesome spots are found in a Project
- New management take over the Project
- New software or systems are introduced
- Changes in the organization take place
- Changes in technology take place
Risk Analysis should not be underestimated. It is usually the only way to avoid future problems.

Acceptance Criteria : upon submission of the Risk Analysis document along with the proposed solutions to all risky events, this Activity would be considered complete.
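
The summarized Risk Analysis procedure of Activity 4 (Steps 1 to 8), worked through as a small risk register. This is an added example, not part of the original Guide; the event names, percentages and function names are constructed for illustration, and percentages are held as fractions between 0.0 and 1.0.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class RiskEvent:
    """One row of the risk register (Steps 1 to 4)."""
    name: str
    probability: float   # Step 2: 0.0 (not likely at all) to 1.0 (certain)
    impact: float        # Step 3: 0.0 (no significant impact) to 1.0 (catastrophic)
    loss_note: str = ""  # Step 4: financial or time loss, for information only

    def __post_init__(self):
        # Reject assessments outside the 0% to 100% range the procedure defines.
        for label in ("probability", "impact"):
            value = getattr(self, label)
            if not 0.0 <= value <= 1.0:
                raise ValueError(f"{self.name}: {label} must be between 0% and 100%")

    @property
    def exposure(self) -> float:
        """Step 5: Exposure = Risk x Impact, always between 0.0 and 1.0."""
        return self.probability * self.impact


def rank_by_exposure(events):
    """Step 6: list all events sorted by decreasing Exposure."""
    return sorted(events, key=lambda e: e.exposure, reverse=True)


def total_exposure(events):
    """Step 7: add all Exposures. Unlike a single Exposure, the total is not
    capped at 100%, so it is a figure to compare between reviews rather than
    a probability."""
    return sum(e.exposure for e in events)


def mitigate(events, name, probability=None, impact=None):
    """Step 8: return a new register in which one event has a reduced
    probability and/or impact. The original register is left untouched so the
    two can be compared."""
    if not any(e.name == name for e in events):
        raise KeyError(name)
    updated = []
    for e in events:
        if e.name == name:
            new_p = e.probability if probability is None else probability
            new_i = e.impact if impact is None else impact
            if new_p > e.probability or new_i > e.impact:
                raise ValueError("mitigation must not increase probability or impact")
            e = replace(e, probability=new_p, impact=new_i)
        updated.append(e)
    return updated


def format_register(events):
    """Render the ranked register followed by the Total Exposure."""
    lines = [f"{e.exposure:6.1%}  {e.name}  ({e.loss_note})"
             for e in rank_by_exposure(events)]
    lines.append(f"{total_exposure(events):6.1%}  TOTAL EXPOSURE")
    return "\n".join(lines)


# Constructed sample register. Two events share a 70% impact but differ in
# the kind of loss, as in the illustration given under Step 4.
SAMPLE_EVENTS = [
    RiskEvent("Stakeholders not identified", 0.25, 0.40, "rework of the plan"),
    RiskEvent("Scope defined too widely", 0.50, 0.70, "$200,000 loss"),
    RiskEvent("No Project Manager can be assigned", 0.40, 0.90, "project cannot start"),
    RiskEvent("Source documents out of date", 0.30, 0.70, "50 day delay"),
]

if __name__ == "__main__":
    print(format_register(SAMPLE_EVENTS))
    print()
    # Address the topmost exposed event by reducing its probability.
    top = rank_by_exposure(SAMPLE_EVENTS)[0]
    print(format_register(mitigate(SAMPLE_EVENTS, top.name, probability=0.10)))
```
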

Activity 5 : Establish Proper Communication Schemes

Objectives : Since the Project relies heavily on following Quality practices, it follows that Communication between all concerned parties has to be properly defined for the overall project. The objective of this Activity is to define the Communications schemes of the Good Practices Project.

Scope of usage : the scope of the Project.

Risks : should the Department not have a proper Communications scheme for the Project, the following risks may arise :
- Improper implementation of the Project Plan
- Lost information
- Activities that are not properly carried out or completed
- Disputes between concerned parties
- Improper monitoring of the Project and hence loss of control

Standard Operating Procedure :
1) Issue the Project Charter : this is a document that formally recognizes the existence of the Project and is the trigger for its launch :
- The Charter is generally in the form of a memo or a letter by the Management
- It clearly identifies the Project Champion or the main driving force behind the Project and would probably be issued by that person.
- It lists other elements such as : the Project's title, date of authorization, Project Manager's name, contacts and duties, a brief scope statement for the Project, a summary of the planned approach for managing the project.
2) Prepare a list of all persons involved in the project : the Management Responsible for the Project, the Project Team, the ICT personnel who will assist the Project Team, key Users, other parties outside the Department.
3) Define the roles and responsibilities of each person on the Project.
4) Define the communication level to be established within the Project :
- What information to distribute?
- Who to send it to?
- When to issue letters, reports, minutes, analyses, etc.?
- Who is to issue such documents?
- Who gets copied?
- Where is the communication stored?
- What registers control the issue of such communications?
5) Identify the repository where such documents are to be kept and archived.

Documentation and Deliverables : the documents listed in the above SOP.

Good Practices and Recommendations : it is best that electronic copies be kept of all such documents. Furthermore, key documents should be subsumed under the Configuration Management activity.

Acceptance Criteria : the Activity is considered completed when all the documents mentioned in the above SOP are collected and approved by the Management, the Project Manager and all involved parties.

Activity 6 : Setup a Performance Measurement Process

Objectives : Performance Measurement is one of the key managerial techniques in the modern world of organizations. What a Department can measure, it can manage. This Activity presents how a Department can prepare various metrics needed for performance measurement of ICT Systems.

Scope of usage : all aspects of work involving ICT. However, there is no reason why the same methods cannot be used for other non-ICT processes in the Department.

Risks : not introducing a performance measurement scheme may lead to the following risks :
- Measuring the wrong things
- Using the measures for the wrong reasons or taking the wrong decisions
- Taking measures irregularly resulting in fragmented series
- Not having the proper information about various processes

Standard Operating Procedure :
1) Identify the Areas of Concern the Department needs to measure. Based on the currently popular Balanced Scorecard, these are usually grouped in 4 major areas :
- Financial areas
- Citizen based areas
- Internal Business Processes (Operations including ICT indices)
- Learning and Growth (Includes Human Resources)
2) Prepare the Metrics for each of these areas. Examples :
- Citizen satisfaction as measured by an index usually prepared through a survey and computed using the Weighted Index Scoring Procedure (Refer to the Appendix of Supplementary Material).
- Number of vouchers entered in one day, week or month
- Number of documents returned per month because of error
- Number of complaint cases raised against the department per year
- Volume of transactions handled by the server per hour
3) Measurement Schemes : develop a document that defines how each of the measurements can be taken and recorded. More importantly, define within the document the Indicators that help the Department recognize whether particular measurements are within or outside decision making areas. For example, if the proportion of erroneous vouchers reaches more than 10% of the total, the Department will need to look into what is causing such errors and remedy the cause. The figure of 10% is thus an indicator. The decision making zone is any measurement above 10%.
4) Prepare databases, registers, tables or cards that can be used to register the measurements.
5) Analyze the measurements on a regular basis for decision making.
6) When problem areas are identified through such measurements, develop remedial actions to resolve them.

Documentation and Deliverables :
1) The Areas of Concern and the individual performance measurements showing the indicators for each.
2) Measurements procedures which show how each measurement is to be taken.
3) Measurement results : statistics, tables or databases.
4) Recommendations and remedial actions that define the actions taken to remedy problem or improvement areas.

Good Practices and Recommendations :
1) It is very practical to use a spreadsheet to record all the measurements. It makes it easier to chart them and analyze their trends.
2) It is highly recommended to use Statistical Process Control procedures (SPC) that are in common use in Quality Control in the manufacturing sector.
3) Communicate the purpose behind the measurements. Very often, personnel are suspicious of measurements as they might consider such activities as infringing on their behavior.
4) Remain consistent with measurements. Changing the nature of the measure over the years stops the Department from analyzing trends and growths.

Activity 7 : How to Implement Standards

Objectives : ICT goes regularly through phases of confusion followed by standardization. Many aspects of ICT processes need to conform or comply with some established standard. This Activity provides some Good Practices regarding the compliance with Standards. The benefits of complying with standards are the following :
1) To avoid breaches of any criminal or civil law, statutory, regulatory or contractual obligations and of any security requirements
2) To ensure compliance of systems with organizational policies and standards
3) To ensure that various standards set by the Department's Management, international bodies and other Government agencies are implemented and that the ICT Processes within the Department are compliant with them.

Scope of usage : all Information Processes. Standards may be external standards issued by agencies outside the Department or Government such as the Control Agencies, International Standards bodies, etc. They may also be internal standards set up by the Department itself. For example, the Department may issue a standard for PC configurations covering the following : clerical PCs, PCs for engineers and PCs for management.

Risks : not complying with standards may result in :
- Legal infringements
- Inefficient ICT processes
- Drop in quality

Standard Operating Procedure :
1) Identify the standards in question. These may be standards such as the following :
- Cabling standards : cable speeds, bending radius, maximum lengths, etc
- ISO9000 standards
- Year 2000 standards (Though we are after 31-Dec-1999, problems still exist)
- Standards set by Software Development Processes such as documentation forms, programming standards, coding techniques, database definitions, etc
- Auditing standards set by the various Control Agencies in the Government
- Arabic software standards
- Purchasing standards set by Tendering Committees or Donors
- Etc.
2) Train the ICT Unit staff so that they can identify the areas of applications and implement and monitor the standards.
3) Implement the standards as part of properly managed projects.
4) Monitor and audit compliance as an ongoing activity.

Documentation and Deliverables :
1) A list of all standards to be complied with
2) Documents that define the standards
3) Implementation procedures
4) Tests that verify compliance
5) Results of the tests prepared on a regular basis

Good Practices :
1) The ICT Unit should be constantly on the lookout for standards that may be emerging. Often, getting familiar with a standard during its inception will result in more efficient implementation.
2) Various standards such as the various ISO levels need to be purchased as they are not available in the public domain. It is a good practice to budget for such acquisitions and to constantly revert to the related web sites for information about upgrades and their related costs.

Activity 8 : How to Manage ICT Projects

Objectives : Project Management is an organizational discipline that is becoming more and more accepted as part of ICT life. A major area of inefficiency in ICT Units is the lack of proper Project Management. This Activity emphasizes the role to be played by Project Management in ICT Projects, specifically that of the Project Manager.

Scope of usage : covers all types of ICT Projects whether handled by the Department or by its Suppliers.

Risks : Projects without management will eventually fail. Failed projects will not meet their functional promises, their budgets or their deadlines. Projects without managers will fail in the same manner. Managers without the right experience, profile and authority will not be able to manage projects properly.

Good Practices and Recommendations :
1) Responsibilities of the Project Manager : it is necessary that the Supplier appoint a fully responsible Project Manager no matter what size or scope the agreement has. It is also critical for the Department to appoint its own Project Manager. These two persons will work as counterparts jointly assuring the success of the project. The following is a list of responsibilities or functions a Project Manager has, irrespective of whether the post is on the side of the Supplier or the Department :
- Reports to Senior Management
- The Manager is the Primary Driver of the Overall Project completing such activities as : planning, execution, monitoring and control
- Coordinates between all parties
- Manages product scope and specification
- Manages resource allocation
- Manages project scheduling
- Tracks and monitors all Project activities
- Communicates project status and progress
- Facilitates team communications and interactions
- Communicates with project stakeholders
- Decides on key or critical trade off decisions
- Analyzes and manages risks
- Manages change control and configurations
- Implements Quality Assurance to ensure that the project maintains its Quality
2) Modern Project Management techniques : Project Management principles apply to all types of projects. Essentially, general Project Management is not very different from ICT Project Management. The main differences lie in the management of the scope of the products, i.e., technical issues. ICT Projects require the following additional principles and methods :
- The use of business modeling for systems analysis and design
- The use of standard Software Development Processes (Review Activity 46 : Using a Software Development Process).
- The implementation of team structures is very specific to ICT processes, especially those that handle software development.
- The content of the following general Project Management processes would be different for ICT although the techniques are the same : risk management, quality control, costing, configuration management.
It is recommended that the Department look into the possibility of training their own staff in ICT Project Management. One web site to visit is the Project Management Institute's website : www.pmi.org. It is a focal point of modern and standardized project management practices.
3) Project Management Software : even if Project Management principles are not learnt with proficiency, it is still highly recommended that the team use a standard Project Management software such as Microsoft Project.
4) The Department should establish standards for Project Management to be applied internally as well as requested from Suppliers. The latter can be part of the issued Requests for Proposals. (Review Activity 7 : How to Implement Standards).
5) The Department should establish Performance Measurements and Indicators for its own Projects. (Review Activity 6 : Setup a Performance Measurement Process).

Activity 9 : Setup the Configuration Management Process

Objectives : to set up a Configuration Management process, maintain it and benefit from the results of the information it produces. Configuration Management controls all components in an ICT System such as software, hardware, network components, documentation, training material, media, password lists, etc. It also implements a change control procedure to control and track all changes to the initial configuration. In the Appendix of Supplementary Material, the Guide defines the whole Configuration Management Process.

Scope of usage : the scope of the Configuration Management process totally depends on what the Department wishes to include in the Configuration. At the most minimal level, this would cover the ICT System hardware, network components and software items. However, many other elements can be added.

Risks : not launching a Configuration Management process will lead to the following damages :
- The Department will not know what is included in the ICT Systems, which will cause losses, open the system to pilferage, etc.
- The Department will have a difficult time updating, upgrading or gathering information about the status of the system.
- Changes will take place in an ad hoc and uncontrolled manner leading to discrepancies, losses, mismatches and other problems. This is especially damaging in the case of software systems under development.

Standard Operating Procedure : This procedure closely follows the detailed process defined in the Appendix of Supplementary Material. The steps discussed in the Appendix are summarized below.

Standard Operating Procedure : Preliminary and One Time Tasks
1) Determine which Configuration Management software the Department wishes to use to manage the Configuration. Once this is determined, it can be acquired or developed and made ready for use.
2) Develop a Product Numbering Scheme and Hierarchy.
3) Develop other coding schemes that may be used such as tag numbers, etc.
4) Identify and Determine the Configuration elements, items, components, etc.
5) Set up all items on the Configuration Database as they are on a specific date. This becomes the Baseline Configuration. All subsequent additions, deletions and modifications of items in the Configuration must adhere to the Change Control System defined next.
6) Develop a Change Control Mechanism. This will allow the Department to control all additions, deletions and modifications of any item on the Configuration.

Standard Operating Procedure : Ongoing Management of the Configuration
1) Use the Change Control System to ensure that any change to the Configuration is subjected to the following process :
- Define the information needed to prepare a Change Request
- Request the change
- Analyze the Request : reason, impact, timing, costs, etc.
- Approve or reject the Request (Or request additional information)
- Implement the Change
- Record the Change in the Configuration Database
2) Changes such as the following are also subject to the same mechanism : addition of new items to the ICT Systems, deletion of items or their removal or uninstallation as well as any changes such as transferred locations, upgrades, etc.
3) Monitor and Track the Configuration through the analysis of the information being processed in the Configuration. (Review the Appendix of Supplementary Material for a more detailed list of such information).

Good Practices :
1) What to include in a Configuration? The Configuration can include but not be restricted to the following items (In alphabetic order) :
- Business Modeling Diagrams
- Cabling
- Compilers
- Databases
- Design specs
- DLLs and ActiveX Components
- Documentation
- Hardware components and units (PCs, modems, scanners, printers, etc.)
- Integrated Development Environments
- Network components and units
- Object code components
- Operating Systems
- Power components and units
- Prototypes
- Queries
- RDBMS (Servers, clients, etc)
- Screen designs
- Servers
- Shell scripts
- Site units Environment units and test equipment
- Software Applications
- Software Tools
- Source Code
- Style sheets (CSS)
- Telecommunications components and units
- Test Data
- Test Plans
- Upgrades and Patches
- Web Pages
- XML Schemas
- Etc
2) Include Minor Databases and Registers : throughout most of the Activities of this Guide, there is a constant recommendation to set up minor databases, lists or registers as a means of documenting procedures. If the Department sets up a Configuration Management process, it is advisable to set up these databases or lists on the Configuration database. The following are examples of such items :
- Agreements
- Agreements with Suppliers
- Backup media
- Data sheets submitted by Suppliers for various equipment
- Items under maintenance agreements
- List of suppliers
- List of supplies
- Project plans
- System manuals and documentation
- Training institutions
- Training material
- Workshops and courses of such institutions

Documentation and Deliverables : Over and above the actual software application to be used for Configuration Management, the Appendix of Supplementary Material lists a variety of different analytic reports to be reaped from such an application.

2.0 Managing ICT Human Resources

Human Resources are one of ICT's major problems. The Technology is changing. Staff are not progressively trained. Job Classifications are faulty and reflect neither the Department's needs nor the qualifications of the recruits. Responsibilities, generally horizontal in the ICT environment, are neither clearly understood nor efficiently implemented. All of the above lead to inefficiencies and risks such as :
- Poor performance in all areas of ICT
- Errors, rework, reruns, etc.
- High turnover of staff
- Demotivated staff
- Regressing technical knowledge and competence
- Problems within Project Management due to improper staff responsibility allocations

The following sets of Activities provide some Procedures and Good Practices related to ICT Human Resources. These Activities are supported by an extensive section in the Appendix of Supplementary Material regarding the Organization of a typical ICT Unit.

Activity 10 : Organize the Structure of the ICT Unit

Objectives : to define the Organizational Structure of the ICT Unit according to modern principles. Different periods in ICT history have required different types of personnel with different relationships. Different organizations operating in different environments have also constantly had to change their structures. Hence, the Guide will not be able to propose a standard Organization Chart for ICT Units. The Guide will propose a generic Organizational structure that can be used as the basis for specific Units in each Department. Such a structure is presented in the Appendix of Supplementary Material to avoid disrupting the flow of Activities.

Scope of usage : the ICT Unit in the Department. However, some Departments might have small isolated ICT units following major Directorates or Agencies that report to the Ministry. These have to be considered as part of the overall structure even though they may not report directly to the ICT Unit Director.

Risks : an ICT Unit without a properly understood structure is subject to disruptive behavior :
- Overlap in responsibilities will cause tension and errors.
- Specific responsibilities or functions might be left unaccounted for, leading to improper performance.
- Personnel will team up in political or social groups, causing damage to the overall work.
- The structure cannot easily be modified as technology changes.
- Personnel will not be able to view their career path, which is demotivating.

Standard Operating Procedure : The Guide will use the term Position instead of Job. The term Position defines a position that is created by the Department for a specific purpose. This position may or may not be filled.

1) Identify all positions in the ICT Unit and the positions they report to.
2) Use a minor database to set up at least the following data elements for each position :
- Description
- Date created
- Grade / Subgrade
- Date filled
- Staff ID
- Position it reports to
- Responsibilities (Text)
The responsibilities of each person would be as they are doing the work today. It would help to have the persons write down what they assume is their job. The difference between what Management considers their job and what they consider their job can often resolve a lot of issues.
3) Start by charting the ICT Unit on an AS IS basis.
4) Proceed by converting existing titles to industry standard nomenclature as presented in the Appendix of Supplementary Material. This would help clarify the responsibilities of each person. This is a Position Classification exercise which is necessary for the other Activities discussed below.
5) Continue by reshuffling responsibilities to fit the new structure for the Department.
6) If a position is occupied, i.e., not vacant, link that position to a simple Employee record containing at least the following data elements :
- Staff ID
- Name
- Title
- Date of birth
- Date of joining the department
- Educational level (Linked to multiple records)
- Work experience (Linked to multiple records)

By now, the Department should have a fully detailed Organization Chart showing which staff is in which position.

Documentation and Deliverables : The above Chart can be in a hard copy but it is recommended to have it in an automated form. Such a form can be as simple as a spreadsheet, a minor database application or a diagram.

Acceptance Criteria : The Organization Chart needs to be approved by the Management of the Department before it becomes official.

Activity 11 : Identify the Required Competencies per Position

Objectives : to identify which Competencies are required for each Position in the ICT Unit. Competency is a special ability a staff member acquires through training, education or experience. Within the ICT world, this could vary from technical to non-technical competencies. Competence is a major issue in ICT. The Technology changes so fast that staff who are considered experienced this year may be without much experience in a year's time. Upon defining competencies, they can be used in the following areas :
- A position can be defined by its required Competencies
- The staff's actual Competencies can be identified to assess their fit
- Training courses can be defined by the Competencies they enhance
- Competencies can be tested for in staff performance evaluations

Scope of usage : the whole Department but specifically, the ICT Unit.

Risks : not defining competencies will lead to the following risks :
- Improper evaluation of staff
- Inefficient training
- A poorly defined Organizational Structure

Good Practices and Recommendations :

1) Identify Expected or Required Staff Competencies for each Position by listing all experience, knowledge, education or training that each position should have.
2) Review lists of training courses for ICT personnel. This would identify Competencies that may be required.
3) Group competencies under some classification in order to analyze them jointly. The following example takes a generalized approach by grouping typical Competencies under two groups :

Non-Technical
- PC literacy
- Managing Teams
- Project Management
- Configuration Management
- Human Resources Development
- Training
- Business correspondence
- Presentation skills
- Reception work
- English (Writing Level)
- Arabic (Writing Level)
- Etc

Technical
- Developing in Visual Basic
- Developing in Java
- XML
- NT Server Certification
- RDBMS Design
- Autocad
- Lotus Notes
- Microsoft Certified Professional (MCP)
- Microsoft Certified Systems Administrator (MCSA)
- Microsoft Certified Systems Engineer (MCSE)
- Microsoft Certified Database Administrator (MCDBA)
- Microsoft Office User Specialist (MOUS)
- Etc

4) Within each Competency, it may be useful to define several attainment levels. For example, Office 2000 capabilities can be defined at beginner, intermediate and advanced levels. The same may apply to Languages : Spoken, Read or Written levels.
5) Review all new technologies being introduced in the Department to establish whether additional Competencies are to be considered or not.
6) Avoid defining Competencies in a broad manner. This would prevent the Department from evaluating whether a specific person has reached the required performance. It would also stand in the way of clearly identifying training requirements. Try to have a highly focused definition of each competency.

Documentation and Deliverables : A list showing all the Competencies required or expected of the Staff holding each position in the ICT Unit.

Activity 12 : Identify Actual Competency Levels of all Staff

Objectives : to analyze the education, experience, competence and project history of all staff. From this analysis, the Department would get a list of the Actual Competencies each person has. Later on, this can be used to compare the staff's actual competencies with the expected competencies as defined in the previous Activity. (Review Activity 11 : Identify the Required Competencies per Position). In a later Activity, the Department can analyze the gap between required and actual competencies, thereby identifying training needs. (Review Activity 13 : Analyze Competencies to Identify Training Requirements). This would provide the Department with a solid basis for reaching the following :
- Evaluating the Performance of Staff
- Planning their Training

Scope of usage : the whole Department but specifically, the ICT Unit.

Risks : Not knowing the education, experience, competence and project history of the ICT staff may lead to improper use of current personnel, poor career path planning and inefficient training. If qualified staff are kept in the wrong positions, this would lead to demotivation and reduced performance as well as increase the risk of turnover.

Standard Operating Procedure :

1) Prepare a list of all Positions in the ICT Unit.
2) For each staff member, analyze the following :
- Training attended within the Department
- Training attended before joining the Department
- Experience acquired within the Department
- Experience acquired before joining the Department
- Educational qualifications
3) Identify the Competencies each staff member has.

Documentation and Deliverables : A list of all staff currently in the employ of the Department showing the Competencies of each.

Good Practices and Recommendations :

1) Personal interviews may highlight Competencies that were not identified from the paperwork analysis. They may also help the Department drop some Competencies which were wrongly attributed to the staff member.
2) Testing : in some cases, it may be useful to test staff to verify that they actually do have a certain Competency and that it has not been forgotten due to lack of experience or time.
3) It is often useful to have staff review their own Competencies and those of other colleagues. This would further help the Management with the identification process.

Activity 13 : Analyze Competencies to Identify Training Requirements

Objectives : to identify the training requirements of staff so that the training can be budgeted for, approved, planned and completed. Having completed the two previous Activities of identifying the required competencies per position and identifying all staff competency levels, the next step would be to analyze the Balance or the Gap between what Competencies are required and what each staff member actually has.

Scope of usage : the whole Department but specifically, the ICT Unit.

Risks :
- Lack of proper training leads to reduced performance of the ICT Unit.
- If wrong training is offered, this may lead to the same damage.
- Wrong training will also lead to wasted costs.
- If staff are trained and not kept satisfied, they would leave the Department, either for other employment or by requesting a transfer.

Standard Operating Procedure :

1) Complete the previous two Activities. These should produce a list of all required Competencies per position and a list of all Staff along with their actual Competencies.
2) Compare the two lists and identify the Gap or the Competencies needed by each staff member to be fit for the position that he or she is occupying.
3) Gap Analysis may result in the following cases :
- The staff may be over-qualified for the position
- The staff may be under-qualified for the position but untrainable
- The staff fits the position he or she is in very well
- The staff may be under-qualified for the position but trainable
The first two situations have to be dealt with by the Department's management. The last situation is what is being sought in this Activity. It identifies the staff member who is short of his or her position's qualifications and would also define the Competencies needed to make the person fit for that position.
4) The list of all staff and their required competencies can now be sorted by Competency. This allows the Department to plan the training for all staff.

Documentation and Deliverables : A list of all staff and their required Competencies. This can be re-sorted to show each Competency with a list of the Staff that require it.

Good Practices and Recommendations :

1) Such an exercise should be repeated at least once a year.
2) Such an exercise should be strongly tied in with Performance Evaluation practices. It is usual to have yearly evaluations. During each Performance Evaluation, the Department would test whether the particular Competencies had been acquired or not.
3) It is important that a person who is to acquire a Competency through his or her own effort, and not through training, be informed that such a Competency will be tested during the next Performance Evaluation. (Examples such as language proficiency, communications skills, etc., can be acquired at the personal level and not through training).

Activity 14 : Identify Training Resources

Objectives : to set up and maintain a register of available training. There are many institutes offering training courses, workshops and programs in the field of ICT. With the advent of the Internet, many sites also offer free or chargeable online training.

Risks : not having lists that are up to date will lead to loss of time when training is required. Secondly, not knowing what is available in terms of training may lead to misconceptions about what the staff may require in terms of their training.

Standard Operating Procedure :

1) List all institutes that offer training with data about them : location, contacts, type of workshops, etc.
2) List key training areas offered by each institute.
3) Relate each training area to specific Competencies identified earlier.
4) Correspond with institutes to keep the Department up to date.
5) Maintain a table of website links that offer free or chargeable online training.

Good Practices and Recommendations :

1) The Department should have cost estimates for most of the training being investigated.
2) Technical exhibitions and forums can be of major benefit. These do not represent formal training. However, attending such exhibitions is always educational and would provide the staff with exposure to new technologies and products as well as present them with the chance to collect data sheets and attend lectures and discussions.
3) Such information collected by various ICT Units in the government should be consolidated. It can then be shared by setting it up on the web.

Activity 15 : Manage Training Material

Objectives : this Activity presents some Good Practices that aim at maintaining a list of all training material : documents, CDs, tutorials, web sites, etc. Different persons will attend different workshops or courses and bring back training material with them. Invariably, such material gets spread around the Department and is not shared, resulting in lost resources.

Scope of usage : all the Department including the ICT Unit.

Good Practices and Recommendations :

1) Prepare a register of all such training material.
2) Such material can also be included in the Configuration Management database. (Review Activity 9 : Setup the Configuration Management Process)
3) Share such registers or lists via the internal site of the Department or through regular announcements or inter-office memorandums.

Activity 16 : Maintain Training Records

Objectives : to set up and maintain a Training Control Database. Training control systems have wide functions. However, it can be a simple matter to maintain a set of Training records for the ICT Unit staff. The main purpose would be to plan training, assign courses to staff and track the results of training per person and per institute or instructor. The application would cover these functions by setting up the following records :
- Staff members
- Training institutes or training resources
- Available workshops/courses
- Required Competencies
- Actual Staff Competencies
- Planned training (Workshops, courses, etc)
- Records of the actual results with evaluations of courses, instructors and attendants
- Costing analysis

Scope of usage : all the Department including the ICT Unit.

Suggested Approach : The Department can acquire such a system commercially. However, the design is not very complex and can be easily developed into a minor database.


More information

Information Security Policy September 2009 Newman University IT Services. Information Security Policy

Information Security Policy September 2009 Newman University IT Services. Information Security Policy Contents 1. Statement 1.1 Introduction 1.2 Objectives 1.3 Scope and Policy Structure 1.4 Risk Assessment and Management 1.5 Responsibilities for Information Security 2. Compliance 3. HR Security 3.1 Terms

More information

Guidelines and Procedures for Project Management

Guidelines and Procedures for Project Management Guidelines and Procedures for Project Management Coin-OR Foundation May 17, 2007 Contents 1 Introduction 3 2 Responsibilities 3 3 Contacts and Information 4 4 Definitions 4 5 Establishing a New Project

More information

SOFTWARE CONFIGURATION MANAGEMENT GUIDEBOOK

SOFTWARE CONFIGURATION MANAGEMENT GUIDEBOOK Office of Safety and Mission Assurance NASA-GB-9503 SOFTWARE CONFIGURATION MANAGEMENT GUIDEBOOK AUGUST 1995 National Aeronautics and Space Administration Washington, D.C. 20546 PREFACE The growth in cost

More information

EXAM PREPARATION GUIDE

EXAM PREPARATION GUIDE EXAM PREPARATION GUIDE PECB Certified ISO 9001 Lead Auditor The objective of the Certified ISO 9001 Lead Auditor examination is to ensure that the candidate possesses the needed expertise to audit a Quality

More information

Eclipsys Sunrise Clinical Manager Enterprise Electronic Medical Record (SCM) and Title 21 Code of Federal Regulations Part 11 (21CFR11)

Eclipsys Sunrise Clinical Manager Enterprise Electronic Medical Record (SCM) and Title 21 Code of Federal Regulations Part 11 (21CFR11) Eclipsys Sunrise Clinical Manager Enterprise Electronic Medical Record (SCM) and Title 21 Code of Federal Regulations Part 11 (21CFR11) The title 21 code of federal regulations part 11 deals with an institutions

More information

Audit Follow-Up. Active Directory. Status As of February 28, 2015. Summary. Report #1508 April 20, 2015

Audit Follow-Up. Active Directory. Status As of February 28, 2015. Summary. Report #1508 April 20, 2015 Audit Follow-Up Status As of February 28, 2015 Active Directory T. Bert Fletcher, CPA, CGMA City Auditor (Report #1210 issued June 19, 2012) Report #1508 April 20, 2015 Summary This is the second follow

More information

Request for Proposal for Application Development and Maintenance Services for XML Store platforms

Request for Proposal for Application Development and Maintenance Services for XML Store platforms Request for Proposal for Application Development and Maintenance s for ML Store platforms Annex 4: Application Development & Maintenance Requirements Description TABLE OF CONTENTS Page 1 1.0 s Overview...

More information

Defect Tracking Best Practices

Defect Tracking Best Practices Defect Tracking Best Practices Abstract: Whether an organization is developing a new system or maintaining an existing system, implementing best practices in the defect tracking and management processes

More information

AUDIT REPORT 03-11 WEB PORTAL SECURITY REVIEW. 2004 FEBRUARY R. D. MacLEAN CITY AUDITOR

AUDIT REPORT 03-11 WEB PORTAL SECURITY REVIEW. 2004 FEBRUARY R. D. MacLEAN CITY AUDITOR AUDIT REPORT 03-11 WEB PORTAL SECURITY REVIEW 2004 FEBRUARY R. D. MacLEAN CITY AUDITOR Web Portal Security Review Page 2 Audit Report 03-11 Web Portal Security Review INDEX SECTION I EXECUTIVE SUMMARY

More information

LDAP Authentication Configuration Appendix

LDAP Authentication Configuration Appendix 1 Overview LDAP Authentication Configuration Appendix Blackboard s authentication technology is considered a focal point in the company s ability to provide true enterprise software. Natively, the Blackboard

More information

Stellenbosch University. Information Security Regulations

Stellenbosch University. Information Security Regulations Stellenbosch University Information Security Regulations 1. Preamble 1.1. Information Security is a component of the Risk structure and procedures of the University. 1.2. Stellenbosch University has an

More information

Validating Enterprise Systems: A Practical Guide

Validating Enterprise Systems: A Practical Guide Table of Contents Validating Enterprise Systems: A Practical Guide Foreword 1 Introduction The Need for Guidance on Compliant Enterprise Systems What is an Enterprise System The Need to Validate Enterprise

More information

Information Technology Project Oversight Framework

Information Technology Project Oversight Framework i This Page Intentionally Left Blank i Table of Contents SECTION 1: INTRODUCTION AND OVERVIEW...1 SECTION 2: PROJECT CLASSIFICATION FOR OVERSIGHT...7 SECTION 3: DEPARTMENT PROJECT MANAGEMENT REQUIREMENTS...11

More information

Office of the Auditor General Performance Audit Report. Statewide Oracle Database Controls Department of Technology, Management, and Budget

Office of the Auditor General Performance Audit Report. Statewide Oracle Database Controls Department of Technology, Management, and Budget Office of the Auditor General Performance Audit Report Statewide Oracle Database Controls Department of Technology, Management, and Budget March 2015 071-0565-14 State of Michigan Auditor General Doug

More information

4 Testing General and Automated Controls

4 Testing General and Automated Controls 4 Testing General and Automated Controls Learning Objectives To understand the reasons for testing; To have an idea about Audit Planning and Testing; To discuss testing critical control points; To learn

More information

ICT Project Management

ICT Project Management THE UNITED REPUBLIC OF TANZANIA PRESIDENT S OFFICE PUBLIC SERVICE MANAGEMENT ICT Project Management A Step-by-step Guidebook for Managing ICT Projects and Risks Version 1.0 Date Release 04 Jan 2010 Contact

More information

Polish Financial Supervision Authority. Guidelines

Polish Financial Supervision Authority. Guidelines Polish Financial Supervision Authority Guidelines on the Management of Information Technology and ICT Environment Security for Insurance and Reinsurance Undertakings Warsaw, 16 December 2014 Table of Contents

More information

State of Oregon. State of Oregon 1

State of Oregon. State of Oregon 1 State of Oregon State of Oregon 1 Table of Contents 1. Introduction...1 2. Information Asset Management...2 3. Communication Operations...7 3.3 Workstation Management... 7 3.9 Log management... 11 4. Information

More information

INFORMATION TECHNOLOGY CONTROLS

INFORMATION TECHNOLOGY CONTROLS CHAPTER 14 INFORMATION TECHNOLOGY CONTROLS SCOPE This chapter addresses requirements common to all financial accounting systems and is not limited to the statewide financial accounting system, ENCOMPASS,

More information

VENDOR MANAGEMENT. General Overview

VENDOR MANAGEMENT. General Overview VENDOR MANAGEMENT General Overview With many organizations outsourcing services to other third-party entities, the issue of vendor management has become a noted topic in today s business world. Vendor

More information

ICT OPERATING SYSTEM SECURITY CONTROLS POLICY

ICT OPERATING SYSTEM SECURITY CONTROLS POLICY ICT OPERATING SYSTEM SECURITY CONTROLS POLICY TABLE OF CONTENTS 1. INTRODUCTION... 3 2. LEGISLATIVE FRAMEWORK... 3 3. OBJECTIVE OF THE POLICY... 4 4. AIM OF THE POLICY... 4 5. SCOPE... 4 6. BREACH OF POLICY...

More information

Computer System Validation for Clinical Trials:

Computer System Validation for Clinical Trials: Computer System Validation for Clinical Trials: Framework Standard Operating Procedure (F-SOP) Author: Tim Cross Version History: 0.1di DRAFT 24-April-2013 0.2 DRAFT 12-June-2013 Current Version: 1.0 17-June-2013

More information

Information Security Policies. Version 6.1

Information Security Policies. Version 6.1 Information Security Policies Version 6.1 Information Security Policies Contents: 1. Information Security page 3 2. Business Continuity page 5 3. Compliance page 6 4. Outsourcing and Third Party Access

More information

AssurX Makes Quality & Compliance a Given Not Just a Goal

AssurX Makes Quality & Compliance a Given Not Just a Goal AssurX Makes Quality & Compliance a Given Not Just a Goal TRACK. MANAGE. AUTOMATE. IMPROVE. AssurX s powerfully flexible software unites and coordinates information, activities and documentation in one

More information

Request for Expressions of Interest IT System Consultant

Request for Expressions of Interest IT System Consultant Election Commission Secretariat Preparation of Electoral Roll with Photographs and Facilitating the Issuance of National Identity Card Project Islamic Foundation Building Agargaon, Dhaka. No. PERP&FINIDC/Ops/048/2011/2608

More information

ELECTRONIC INFORMATION SECURITY A.R.

ELECTRONIC INFORMATION SECURITY A.R. A.R. Number: 2.6 Effective Date: 2/1/2009 Page: 1 of 7 I. PURPOSE In recognition of the critical role that electronic information systems play in City of Richmond (COR) business activities, this policy

More information

security policy Purpose The purpose of this paper is to outline the steps required for developing and maintaining a corporate security policy.

security policy Purpose The purpose of this paper is to outline the steps required for developing and maintaining a corporate security policy. Abstract This paper addresses the methods and methodologies required to develop a corporate security policy that will effectively protect a company's assets. Date: January 1, 2000 Authors: J.D. Smith,

More information

Position Classification Standard for Management and Program Clerical and Assistance Series, GS-0344

Position Classification Standard for Management and Program Clerical and Assistance Series, GS-0344 Position Classification Standard for Management and Program Clerical and Assistance Series, GS-0344 Table of Contents SERIES DEFINITION... 2 EXCLUSIONS... 2 OCCUPATIONAL INFORMATION... 3 TITLES... 6 EVALUATING

More information

AGENDA ITEM: SUMMARY. Author/Responsible Officer: John Worts, ICT Team Leader

AGENDA ITEM: SUMMARY. Author/Responsible Officer: John Worts, ICT Team Leader AGENDA ITEM: SUMMARY Report for: Committee Date of meeting: 30 May 2012 PART: 1 If Part II, reason: Title of report: Contact: Purpose of report: Recommendations Corporate objectives: Implications: INFORMATION

More information

Final. North Carolina Procurement Transformation. Governance Model March 11, 2011

Final. North Carolina Procurement Transformation. Governance Model March 11, 2011 North Carolina Procurement Transformation Governance Model March 11, 2011 Executive Summary Design Approach Process Governance Model Overview Recommended Governance Structure Recommended Governance Processes

More information

OECD SERIES ON PRINCIPLES OF GOOD LABORATORY PRACTICE AND COMPLIANCE MONITORING NUMBER 10 GLP CONSENSUS DOCUMENT

OECD SERIES ON PRINCIPLES OF GOOD LABORATORY PRACTICE AND COMPLIANCE MONITORING NUMBER 10 GLP CONSENSUS DOCUMENT GENERAL DISTRIBUTION OCDE/GD(95)115 OECD SERIES ON PRINCIPLES OF GOOD LABORATORY PRACTICE AND COMPLIANCE MONITORING NUMBER 10 GLP CONSENSUS DOCUMENT THE APPLICATION OF THE PRINCIPLES OF GLP TO COMPUTERISED

More information

Business Continuity Position Description

Business Continuity Position Description Position Description February 9, 2015 Position Description February 9, 2015 Page i Table of Contents General Characteristics... 2 Career Path... 3 Explanation of Proficiency Level Definitions... 8 Summary

More information

IT SERVICE MANAGEMENT POLICY MANUAL

IT SERVICE MANAGEMENT POLICY MANUAL IT SERVICE MANAGEMENT POLICY MANUAL Version - 1.0 SATYAM COMPUTER SERVICES LIMITED Satyam Infocity Unit 12, Plot No. 35/36 Hi-tech City layout Survey No. 64 Madhapur Hyderabad - 500 081 Andhra Pradesh

More information

JOB DESCRIPTION. Director of e-learning. Strathalbyn and Murray Bridge PURPOSE OF THE POSITION

JOB DESCRIPTION. Director of e-learning. Strathalbyn and Murray Bridge PURPOSE OF THE POSITION JOB DESCRIPTION Title ICT Officer Career Group ICT Classification Level 5.1 (18-20) Line Manager Director of e-learning Sub-school / Location Strathalbyn and Murray Bridge Reporting to Director of e-learning

More information

Security Controls What Works. Southside Virginia Community College: Security Awareness

Security Controls What Works. Southside Virginia Community College: Security Awareness Security Controls What Works Southside Virginia Community College: Security Awareness Session Overview Identification of Information Security Drivers Identification of Regulations and Acts Introduction

More information

ITSM Maturity Model. 1- Ad Hoc 2 - Repeatable 3 - Defined 4 - Managed 5 - Optimizing No standardized incident management process exists

ITSM Maturity Model. 1- Ad Hoc 2 - Repeatable 3 - Defined 4 - Managed 5 - Optimizing No standardized incident management process exists Incident ITSM Maturity Model 1- Ad Hoc 2 - Repeatable 3 - Defined 4 - Managed 5 - Optimizing No standardized incident process exists Incident policies governing incident Incident urgency, impact and priority

More information

Course 2788A: Designing High Availability Database Solutions Using Microsoft SQL Server 2005

Course 2788A: Designing High Availability Database Solutions Using Microsoft SQL Server 2005 Course Syllabus Course 2788A: Designing High Availability Database Solutions Using Microsoft SQL Server 2005 About this Course Elements of this syllabus are subject to change. This three-day instructor-led

More information

CLASS SPECIFICATION Systems Support Analyst II

CLASS SPECIFICATION Systems Support Analyst II San Diego Unified Port District Class Code: B211-UE03 CLASS SPECIFICATION Systems Support Analyst II FLSA Status: EEOC Job Category: Classified: Union Representation: Exempt Professionals No Unrepresented

More information

Fundamentals Level Skills Module, F8 (IRL)

Fundamentals Level Skills Module, F8 (IRL) Answers Fundamentals Level Skills Module, F8 (IRL) Audit and Assurance (Irish) June 2008 Answers 1 (a) Prior year internal control questionnaires Obtain the audit file from last year s audit. Ensure that

More information

SCHEDULES OF CHAPTER 40B MAXIMUM ALLOWABLE PROFIT FROM SALES AND TOTAL CHAPTER 40B COSTS EXAMINATION PROGRAM

SCHEDULES OF CHAPTER 40B MAXIMUM ALLOWABLE PROFIT FROM SALES AND TOTAL CHAPTER 40B COSTS EXAMINATION PROGRAM 7/30/07 SCHEDULES OF CHAPTER 40B MAXIMUM ALLOWABLE PROFIT FROM SALES AND TOTAL CHAPTER 40B COSTS Instructions: EXAMINATION PROGRAM This Model Program lists the major procedures and steps that should be

More information

pm4dev, 2007 management for development series The Project Management Processes PROJECT MANAGEMENT FOR DEVELOPMENT ORGANIZATIONS

pm4dev, 2007 management for development series The Project Management Processes PROJECT MANAGEMENT FOR DEVELOPMENT ORGANIZATIONS pm4dev, 2007 management for development series The Project Management Processes PROJECT MANAGEMENT FOR DEVELOPMENT ORGANIZATIONS PROJECT MANAGEMENT FOR DEVELOPMENT ORGANIZATIONS A methodology to manage

More information

TERRITORY RECORDS OFFICE BUSINESS SYSTEMS AND DIGITAL RECORDKEEPING FUNCTIONALITY ASSESSMENT TOOL

TERRITORY RECORDS OFFICE BUSINESS SYSTEMS AND DIGITAL RECORDKEEPING FUNCTIONALITY ASSESSMENT TOOL TERRITORY RECORDS OFFICE BUSINESS SYSTEMS AND DIGITAL RECORDKEEPING FUNCTIONALITY ASSESSMENT TOOL INTRODUCTION WHAT IS A RECORD? AS ISO 15489-2002 Records Management defines a record as information created,

More information

Information Technology Services Project Management Office Operations Guide

Information Technology Services Project Management Office Operations Guide Information Technology Services Project Management Office Operations Guide Revised 3/31/2015 Table of Contents ABOUT US... 4 WORKFLOW... 5 PROJECT LIFECYCLE... 6 PROJECT INITIATION... 6 PROJECT PLANNING...

More information

PeopleSoft Upgrade Post-Implementation Audit

PeopleSoft Upgrade Post-Implementation Audit PeopleSoft Upgrade Post-Implementation Audit Initially Issued on June 2015 Reissued on October 2015 with the updated management response to the first observation only on page 5 Table of Contents Executive

More information

Service Children s Education

Service Children s Education Service Children s Education Data Handling and Security Information Security Audit Issued January 2009 2009 - An Agency of the Ministry of Defence Information Security Audit 2 Information handling and

More information

INFORMATION TECHNOLOGY SECURITY STANDARDS

INFORMATION TECHNOLOGY SECURITY STANDARDS INFORMATION TECHNOLOGY SECURITY STANDARDS Version 2.0 December 2013 Table of Contents 1 OVERVIEW 3 2 SCOPE 4 3 STRUCTURE 5 4 ASSET MANAGEMENT 6 5 HUMAN RESOURCES SECURITY 7 6 PHYSICAL AND ENVIRONMENTAL

More information

How To Ensure The C.E.A.S.A

How To Ensure The C.E.A.S.A APPENDI 3 TO SCHEDULE 3.3 TO THE COMPREHENSIVE INFRASTRUCTURE AGREEMENT APPENDI 3 TO SCHEDULE 3.3 TO THE COMPREHENSIVE INFRASTRUCTURE AGREEMENT TUGeneral TUSecurity TURequirements TUDesign TUIntegration

More information

ITIL V3 Foundation Certification - Sample Exam 1

ITIL V3 Foundation Certification - Sample Exam 1 ITIL V3 Foundation Certification - Sample Exam 1 The new version of ITIL (Information Technology Infrastructure Library) was launched in June 2007. ITIL V3 primarily describes the Service Lifecycle of

More information

Information Systems Change Management and Control

Information Systems Change Management and Control Information Systems Change Management and Control (Sample Document - Not for Distribution) Copyright 1996-2012 Management Systems Consulting, Inc. Table of Contents Page 1.0 Procedure Description... 1

More information

AUSTRALIAN GOVERNMENT INFORMATION MANAGEMENT OFFICE CYBER SECURITY CAPABILITY FRAMEWORK & MAPPING OF ISM ROLES

AUSTRALIAN GOVERNMENT INFORMATION MANAGEMENT OFFICE CYBER SECURITY CAPABILITY FRAMEWORK & MAPPING OF ISM ROLES AUSTRALIAN GOVERNMENT INFORMATION MANAGEMENT OFFICE CYBER SECURITY CAPABILITY FRAMEWORK & MAPPING OF ISM ROLES Final Report Prepared by Dr Janet Tweedie & Dr Julie West June 2010 Produced for AGIMO by

More information

Introduction to the ITS Project Management Methodology

Introduction to the ITS Project Management Methodology Introduction to the ITS Project Management Methodology In September 1999 the Joint Legislative Committee on Performance Evaluation and Expenditure Review (PEER) produced a report entitled Major Computer

More information

Duration: One year with the option of an additional year based on performance.

Duration: One year with the option of an additional year based on performance. Position: Adviser to the Internal Audit Unit Objectives: A person to support the newly established Internal audit unit to transform it from its infancy stage to a unit that is a trusted adviser, and more

More information

REQUEST FOR PROPOSAL FOR IT ASSET MANAGEMENT SERVICES

REQUEST FOR PROPOSAL FOR IT ASSET MANAGEMENT SERVICES KENYA AIRWAYS TENDER NO. T/026/14 REQUEST FOR PROPOSAL FOR IT ASSET MANAGEMENT SERVICES Release Date: 25 th April 2014 Closing date: 23 rd May 2014 1 INVITATION TO TENDER TENDER NO.T/026/14: PROVISION

More information